12:50:24 <c0mm4nd> Hello guys, I have a question on the monero tx. Do you know whether the "public key" in one tx's output will get reused when the public key owner receiving another tx, and is it a real public key from the private key?
12:52:14 <moneromooo> What you are asking is unclear. You might have been asking "can an output public key be reused on the chain be reused ?". If so, then yes, if the sender sends to the same recipient with the same tx secret key (which would be dumb).
12:53:51 <c0mm4nd> If it appears in the key image, is it means that the public key owner maybe the sender of the tx?
12:57:06 <c0mm4nd> "is it a real public key from the private key?" => "it is a public key directly generated by ECDSA or get any additional encryption on the raw public key like btc address?"
12:58:41 <moneromooo> You're too unclear. I thought you were on about output public keys. If you're on about key images, make your question precise.
12:59:05 <moneromooo> But duplicate key images will not be accepted on the chain.
12:59:32 <moneromooo> Duplicate pubkeys would cause duplicate key images too, if that's what you were asking.,
13:02:50 <c0mm4nd> I'm sorry. I just want to ensure that whether the sender's public key will get leaked in the key image's Public Key list, for example in https://localmonero.co/blocks/tx/7d1d98cebf080a545c08b2f89e11b5298fcc0636da23e6a219ba0fac355e6011  expand the key image there is a d21ff... public key, is this key maybe belongs the the sender of this tx?
13:08:13 <c0mm4nd> sorry, a944e... public key, not d21ff...(this is the key image)
13:08:34 <moneromooo> A key image belongs to an output. The key image is different from the output pubkey.
13:09:15 <moneromooo> If you have a key image, it will belong to someone, yes. But from that key image, you can't get either the output pubkey it's from nor the wallet address it was created for.
13:09:36 <moneromooo> At most, you can get a set of 11 (usually) output pubkeys it might correspond to.
13:15:39 <c0mm4nd> Thanks for your clear answer!
16:31:17 <UkoeHB> Btw there is one advantage to Seraphis that I forgot about (this applies to the address-friendly Seraphis adjustment as well). Multisig participants can create key images, so they can do full balance recovery without tedious interactions to reconstruct key images.
17:02:20 <luigi1112> is that same for view key holders of non-ms?
17:19:28 <UkoeHB> Seraphis allows a lot of different wallet permission schemes, but in the address-friendly adjustment anyone with the private view key can do full balance recovery.
17:20:30 <UkoeHB> It's less of an 'adjustment' and more like an a different protocol - but the two protocols use similar concepts.
19:26:37 <UkoeHB> Seraphis github: https://github.com/UkoeHB/Seraphis
19:26:37 <UkoeHB> I welcome comments/feedback, help on security proofs/models/etc. Ping for: coinstudent2048[ 
20:20:35 <jtgrassie> blinding should be binding throughout
20:21:25 <UkoeHB> ?
20:21:28 <jtgrassie> they are not "blinding factors" but "binding factors"
20:22:25 <jtgrassie> commitments are bound, not blinded.
20:24:39 <UkoeHB> Please search for the word 'blinding' in this paper and note its first appearance: https://web.stanford.edu/~buenz/pubs/bulletproofs.pdf
20:27:13 <jtgrassie> your paper uses "blinding" 10 times. The fact other papers make the same mistake is besides the point. Just a recommendation to use the correct terminology.
20:47:11 <UkoeHB> Can you provide a source that 'binding' is the correct term?
20:54:51 <jtgrassie> https://en.wikipedia.org/wiki/Commitment_scheme
20:55:12 <jtgrassie> (one of many)
21:00:57 <luigi1111w> there's no "binding factor" there
21:01:50 <UkoeHB> computation binding is a property of pedersen commitments
21:02:30 <UkoeHB> blinding factor is a common term for the... blinding factor
21:03:41 <jtgrassie> "this is called the binding property"
21:06:02 <UkoeHB> _property_ not _factor_
21:07:07 <jtgrassie> One binds a commitment, and it (in a pedersen commitment) is computationaly binding.
21:08:59 <luigi1111w> it's bound via DL problem, and unconditionally hidden via the ... factor
21:14:40 <UkoeHB> yeah 'blinding factor' seems a pretty common term, but I don't see 'binding factor' used anywhere
21:16:54 <jtgrassie> fair enough
21:17:19 <jtgrassie> the original CT text calls it that too
21:26:40 <jtgrassie> it's a great well written draft in any case, so thank you
21:42:31 <UkoeHB> 🙏
21:42:44 <sarang> Binding is a property of a commitment construction. Pedersen commitment masks are often called blinding factors
21:46:04 <sarang> TBH it's an unfortunate choice of terms, since they sound so similar...
21:56:35 <moneromooo> We could just change to bounding and bending.
21:57:01 <moneromooo> bonding. blending.
23:02:13 <coinstudent2048[> Forked it. Don't expect too much, I messed up some math in the Lounge before 😊... but I do what I can.
23:04:29 <UkoeHB> I'd be happy to hear your thoughts